Traffic surge management for points of presence

ABSTRACT

A system, method, and computer-readable medium for point of presence (POP) based traffic surge detection and mitigation are provided. The system detects a traffic surge for a target group of resources directed at a source POP based on the target group&#39;s rank shifts and volume changes among recent time intervals. The system mitigates the detected traffic surge by identifying destination POPs with spare capacity and routing at least a portion of incoming requests for the target group of resources to the destination POPs in accordance with their spare capacities.

BACKGROUND

Generally described, computing devices and communication networks can be utilized to exchange information. In a common application, a computing device can request content from another computing device via the communication network. For example, a user at a personal computing device can utilize a software browser application to request a Web page or application from a server computing device via the Internet. In such embodiments, the user computing device can be referred to as a client computing device (“client”) and the server computing device can be referred to as a content provider.

Content providers are generally motivated to provide requested content to client computing devices often with consideration of efficiency, reliability, and/or cost associated with the transmission of the content. For larger scale implementations, a content provider may receive content requests from a high volume of client computing devices which can place a strain on the content provider's computing resources. Additionally, the content requested by the client computing devices may have a number of components, which can further place additional strain on the content provider's computing resources.

Some content providers attempt to facilitate the delivery of requested content, such as Web pages or resources identified in Web pages, through the utilization of a content delivery network (“CDN”) service provider. A CDN service provider typically maintains a number of computing devices, generally referred to as “points of presence” or “POPs” in a communication network. The service provider or POPs can include one or more domain name service (“DNS”) computing devices that can process DNS queries from client computing devices. Additionally, the POPs can include network resource storage component that maintain content from various content providers. In turn, content providers can instruct, or otherwise suggest to, client computing devices to request some, or all, of a content provider's content from the CDN service provider's computing devices. As with content providers, CDN service providers are also generally motivated to provide requested content to client computing devices often with consideration of efficiency, reliability, and/or cost associated with the transmission of the content.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings. Throughout the drawings, reference numbers may be re-used to indicate correspondence between referenced elements. The drawings are provided to illustrate example embodiments described herein and are not intended to limit the scope of the disclosure.

FIG. 1 is a block diagram illustrative of a content delivery environment including a number of client computing devices, a number of content providers, and a content delivery service provider;

FIG. 2 is a block diagram of the content delivery environment of FIG. 1 illustrating the detection of a traffic surge for network resources;

FIG. 3 is a block diagram of the content delivery environment of FIG. 1 illustrating the mitigation of a traffic surge for network resources;

FIG. 4 is a flowchart illustrative of a traffic surge detection routine implemented by a content delivery network service provider; and

FIG. 5 is a flowchart illustrative of a traffic surge mitigation routine implemented by a content delivery network service provider.

FIG. 6 is a flowchart illustrative of a routine implemented by a content delivery network service provider to conclude traffic surge mitigation.

FIG. 7 is an illustrative functional block diagram of a computing device for detecting and mitigating traffic surge.

DETAILED DESCRIPTION

Generally described, the present disclosure is directed to the management and routing of requests from client computing device for network resources. Specifically, aspects of the disclosure will be described with regard to detection of a traffic surge for network resources at points of presence (POPs), based on analyses of current and previous content request volume data. Additionally, aspects of the disclosure will be described with regard to mitigation of a traffic surge via content request routing to multiple POPs, based on traffic surge data and POP capacity information. Illustratively, a traffic surge may correspond to an unexpected and massive surge in volume of requests received at a POP for a target group of network resources. For example, one type of traffic surge may correspond to flash crowd traffic, such as where a Web site suddenly catches the attention of a large number of users. Illustratively, this may occur concurrently with reports of breaking news, releases of revolutionary products, openings of popular events, etc., when relevant Web sites may see abrupt surge in traffic. A traffic surge may include legitimate user requests as well as malicious attacks, and may cause slow down or temporary unavailability of content serving functionalities or devices, and therefore should be detected and mitigated. In particular, a traffic surge should not adversely affect the experience of users who do not contribute to the traffic surge (e.g., users who are not requesting any resource of the target group).

In accordance with an illustrative embodiment, a content delivery network (CDN) service provider receives content requests for network resources associated with various content providers. Each content provider may set up groups of network resources (e.g., corresponding to Web pages, Web applications, Web sites, or portions thereof) that the CDN service provider may assist in content delivery. The CDN service provider may include a request routing service for routing incoming content requests to appropriate POPs for processing. For example, in response to a DNS query corresponding to a requested resource, a CDN service provider may select a POP to serve the resource request based on a geographic proximity between the POP and the requesting client device.

At regular time intervals (e.g., every minute), a traffic surge detection service of the CDN service provider obtains data regarding request volumes for various groups of resources received at each POP during a most recent period of time (e.g., the minute that just passed). The data may be a list of resource groups ordered by their associated request volume during the most recent period of time. Based on the request volume data corresponding to temporally ordered time periods, the traffic surge detection service may determine resource groups that begin to receive a traffic surge at any POP in substantially real time. In addition, the traffic surge detection service may obtain data indicating the magnitude, or rate, of change in volume of requests for a resource group. For example, this data may indicate that a certain resource group experienced a spike in requests in a 10 second span that exceeds a certain threshold (e.g, a percentage) of the normal request fluctuations. This could also indicate that, while it may not be problematic for requests to spike from 10 requests to 50 requests in a matter of five minutes, that same increase in requests over five seconds may be indicative of a traffic surge.

For example, for each POP, the traffic surge detection service may identify a resource group that is ranked within the top 10 groups by request volume for the most recent time period. The ranking may also take into account and be based upon the rate of change of resource groups. The traffic surge detection service may then determine whether the identified group also appears within the top 10 groups by request volume during a specified number of time periods prior to the most recent time period. If the identified resource group is not one of the top 10 requested groups for any prior time periods, the traffic surge detection service may label the identified resource group as a candidate group for further determination.

For the candidate group, the traffic surge detection service determines a shift in its rank by request volume as between prior time periods and the most recent time period. The traffic surge detection service may further determine a magnitude of change in request volume for the candidate group between prior time periods and the most recent time period, or the rate of change in request volume over a particular time period or a particular set of time periods. Applying predetermined or dynamically generated thresholds to the change of rank and/or magnitude in terms of request volume, the traffic surge detection service may determine that the candidate group is currently receiving a traffic surge. The traffic surge detection service may then generate a traffic surge alert including information about the affected POP, the identified group of resources, the most recent request volume corresponding to the group, etc.

The traffic surge alert may be provided to a traffic surge mitigation service of the CDN service provider so that the traffic surge can be mitigated. The traffic surge mitigation service may constantly estimate current spare capacities of individual POPs for processing content requests. Illustratively, at regular time intervals (e.g., every minute), each POP may provide data regarding a total volume of requests that are processed by the POP during the most recent period of time. The estimated spare capacity may correspond to a difference between a maximum quantity of content requests that can be processed by the POP (e.g., as limited by its networking or computational capacity) and the total volume of requests processed during the most recent period of time.

Upon receipt of a traffic surge alert for a source POP that identifies a target resource group as receiving a traffic surge, the traffic surge mitigation service determines whether the source POP may absorb the surged traffic based on its estimated spare capacity. If not, the traffic surge mitigation service attempts to identify one or more destination POPs to spread the surged traffic. The traffic surge mitigation service may identify a list of destination POPs based on a combination of factors, such as their corresponding estimated spare capacity, geographic or network-based proximity to the source POP or clients generating the traffic surge, groups of resources currently being served, latency, bandwidth, other POP performance factors, combination of the same, or the like.

The traffic surge mitigation service may distribute the traffic surge request volume, as reported in the traffic surge alert, across the source POP and a sufficient number of identified destination POPs based on their corresponding estimated spare capacities. The traffic surge mitigation service may then calculate a corresponding routing weight for each of the source and destination POPs that will serve future traffic, based on their respective proportions of the traffic surge request volume as distributed. The traffic surge mitigation service may then cause modification of a routing policy or mechanism, which can be implemented by the routing service of the CDN service provider, for routing incoming requests for network resources corresponding to the target group, in accordance with the calculated routing weights. For example, the modified routing policy may enable the routing service to probabilistically route any incoming requests for the target group received during the next period of time to the source POP or one of the destination POPs based on their respective routing weights.

The traffic surge mitigation service continues to monitor the request volumes for the target group received at the source and destination POPs as incoming traffic is routed during subsequent time periods. In doing so, the traffic surge mitigation service may calculate an aggregate request volume for the target group based on respective volumes received at each applicable POP. For each of the subsequent time periods, the traffic surge mitigation service may adjust the routing weights, adding or removing destination POPs, or otherwise modifying the routing policy or mechanism in response to changes in the aggregate request volume for the target group. If the aggregate request volume returns to a level manageable by the source POP alone (e.g., within a threshold of an average request volume for a number of time periods prior to the detection of traffic surge), the traffic surge mitigation service may terminate the mitigation process and cause the routing service to resume its usual routing functionalities with respect to incoming traffic for the target group.

Although various aspects of the disclosure will be described with regard to illustrative examples and embodiments, one skilled in the art will appreciate that the disclosed embodiments and examples should not be construed as limiting. For example, although aspects of the disclosure will be described with regard to specific service providers such as a CDN service provider, one skilled in the relevant art will appreciate that aspects of the disclosure may be implemented by various types of service providers or that a service provider implementing aspects of the disclosure is not required to have the specific components utilized in the illustrative examples.

FIG. 1 is a block diagram illustrative of content delivery environment 100 for the management and processing of content requests. As illustrated in FIG. 1, the content delivery environment 100 includes a number of client computing devices 102 (“clients”) for requesting content from a content provider and/or a CDN service provider. In an illustrative embodiment, the clients 102 can correspond to a wide variety of computing devices including personal computing devices, laptop computing devices, hand-held computing devices, terminal computing devices, mobile devices, wireless devices, various electronic devices and appliances and the like.

In an illustrative embodiment, the clients 102 include necessary hardware and software components for establishing communications over a communication network 108. For example, the client computing devices 102 may be equipped with networking equipment and browser software applications that facilitate communications via the communication network 108. The network 108 can be a publicly accessible network of linked networks, possibly operated by various distinct parties, such as the Internet. In other embodiments, the network 108 may include a private network, personal area network (“PAN”), LAN, WAN, cable network, satellite network, any other medium of computer data transfer, or some combination thereof.

The clients 102 may also include necessary hardware and software components for requesting content from network entities in the form of an originally requested resource that may include identifiers to two or more embedded resources that need to be requested. Further, the clients 102 may include or be associated with necessary hardware and software components, such as browser software applications, plugins, scripts, etc., for fulfilling the original resource request and each embedded resource request. In other embodiments, the client computing devices 102 may be otherwise associated with an external proxy application or device, as well as any other additional software applications or software services, used in conjunction with requests for content.

Although not illustrated in FIG. 1, each client 102 may utilize some type of DNS resolver component, that generates DNS queries attributed to the client computing device. In one embodiment, the DNS resolver component may be provided by an enterprise network to which the client 102 belongs. In another embodiment, the DNS resolver component may be provided by an Internet Service Provider (ISP) that provides the communication network connection to the client 102.

The content delivery environment 100 also includes one or more content providers 104 in communication with the clients 102 via the communication network 108. The content provider 104 illustrated in FIG. 1 corresponds to a logical association of one or more computing devices associated with a content provider. Specifically, the content provider 104 can include one or more server computing devices for obtaining and processing requests for content (such as Web pages) from the clients 102. The content provider 104 can further include one or more computing devices for obtaining and processing requests for network resources from the CDN service provider. One skilled in the relevant art will appreciate that the content provider 104 can be associated with various additional computing resources, such additional computing devices for administration of content and resources, DNS name servers, and the like.

With continued reference to FIG. 1, the content delivery environment 100 further includes a CDN service provider 106 in communication with the clients 102 and the content providers 104 via the communication network 108. The CDN service provider 106 illustrated in FIG. 1 corresponds to a logical association of one or more computing devices associated with a CDN service provider. Specifically, the CDN service provider 106 can include a number of points of presence (“POP”) locations 116 that correspond to nodes on the communication network 108. Each POP 116 may include a number of DNS server computing devices for resolving DNS queries from the clients 102. Each POP 116 may also include a number of cache server computing devices for storing resources from content providers and transmitting various requested resources to various client computers. Further, although the POPs 116 are illustrated in FIG. 1 as logically associated with the CDN service provider 106, the POPs can be geographically distributed throughout the communication network 108 to serve the various demographics of clients 102. Additionally, one skilled in the relevant art will appreciate that the CDN service provider 106 can be associated with various additional computing resources, such additional computing devices for administration of content and resources, and the like.

The CDN service provider 106 can include a request routing service 120 for routing content requests to various POPs 116 for processing, a traffic surge detection service 130 for detecting traffic surges for each POP 116, and a traffic surge mitigation service 140 for determining traffic surge mitigation strategies. For example, the request routing service 120 may include or otherwise be associated with a number of DNS server computing devices for resolving DNS queries from the clients 102. The DNS server computing devices associated with the request routing service 120 may or may not include DNS devices associated with individual POPs 116. Illustratively, the request routing service 102 may implement various routing policies or mechanisms to facilitate the traffic surge detection and mitigation functionalities disclosed herein.

The traffic surge detection service 130 can implement various computational, statistical, or machine learning methods to detect traffic surges based on volumes of content requests received at individual POPs 116 for various groups of network resources. Illustratively, the traffic surge detection service 130 may obtain request volume data corresponding to consecutive time intervals from the POPs 116. The traffic surge detection service 130 may identify resource groups corresponding to high request volumes and compare their rankings in terms of request volume across a number of recent and/or historical time intervals. The traffic surge detection service 130 may also compare changes in the magnitude of request volumes across time intervals for the highly requested resource groups. The traffic surge detection service 130 may conduct these comparisons with predetermined or dynamically generated thresholds or criteria, and determine resource groups that are considered targets of a traffic surge for each POP 116.

In some embodiments, the traffic surge detection service 130 may detect traffic surges based on rate of change in traffic volume. Illustratively, the traffic surge detection service 130 may estimate first and/or second derivatives of request volume as a function of time, based on the traffic volumes as sampled from each time period. The traffic surge detection service 130 may determine whether the estimated first and/or second derivatives exceeds predetermined thresholds for a recent time. As another example, the traffic surge detection service 130 may compute a correlation coefficient between request volume and time (or time periods) over request volumes reported in a number of recent time periods, and determine whether the coefficient exceeds certain threshold. These methods can be used independently or in conjunction with other analysis and comparisons as described above.

The traffic surge mitigation service 140 can implement various computational methods for developing traffic surge mitigation strategies. Illustratively, the traffic surge mitigation service 140 may estimate current or future spare capacities of various POPs 116 for processing content requests, determine whether a source POP has capacity to absorb detected traffic surge, or identify destination POPs that may be suitable for handling at least a portion of the surged traffic. Additionally, the traffic surge mitigation service 140 may create or update request routing policies implemented by the request routing service 120, for routing future requests for any target resource groups receiving a traffic surge in accordance with determined mitigation strategies.

Further, these modules or components may include additional components, systems, and subsystems for facilitating the methods and processes. In various embodiments, reference to the request routing service 120, the traffic surge detection service 130, or the traffic surge mitigation service 140 may include multiple computing devices working in conjunction to facilitate the functionalities disclosed herein. For example, in various embodiments, the services may be distributed through a network or implemented by one or more virtual machine instances. Additionally or alternatively, the request routing service 120, the traffic surge detection service 130, or the traffic surge mitigation service 140 may be centralized in one computing device, and/or be distributed across several computing devices.

With reference now to FIG. 2 and FIG. 3, the interaction between various components of the content delivery environment 100 of FIG. 1 will be illustrated. For purposes of the example, however, the illustration has been simplified such that many of the components utilized to facilitate communications are not shown. One skilled in the relevant art will appreciate that such components can be utilized and that additional interactions would accordingly occur without departing from the spirit and scope of the present disclosure.

FIG. 2 is a block diagram of the data communication environment 100 of FIG. 1 illustrating the detection of a traffic surge for network resources. As illustrated in FIG. 2, at (1), one or more clients 102 transmit content requests to the CDN service provider 106 for network resources associated with various content providers. As described above, the network resources may correspond to different groups in accordance with their corresponding criteria. For example, each content provider may define one or more groups of network resources (e.g., as corresponding to Web pages, Web applications, Web sites, or portions thereof) that the CDN service provider may assist in delivering to clients 102.

In accordance with an illustrative embodiment, a content request may include a DNS query for a resource's uniform resource locator (URL). After resolution of the DNS query, a content retrieval request may follow accordingly, based on common network protocols, such as the hypertext transfer protocol (“HTTP”). The URLs for requested network resources may indicate or otherwise provide information for the CDN service provider 106 to correlate each content request to a specific group of network resources. For example, the URL may include a designation of domain or subdomain, which corresponds to an identification of one of the network resource groups defined by various content providers 104. In some embodiments, the content requests may not be directly transmitted from clients 102 to the CDN service provider 106. For example, there may be one or more intermediate entities, such as DNS resolvers or proxy devices, between the clients 102 and the CDN service provider 106.

At (2), the CDN service provider 106 processes the content requests. In some embodiments, the content requests are received at the request routing service 120. The request routing service 120 may route each request to an appropriate POP 116 in accordance with existing routing policies. For example, the request routing service 120 may resolve DNS queries by replying to the queries with network routing information, such as Internet Protocol (IP) addresses, for the selected POPs 116. The selection of a POP to serve the request can be based on a network-based proximity between the POP and the requesting client 102 or an intermediate entity. Following the routing, individual POPs 116 may receive content requests directed thereto. In other embodiments, the request routing service 120 is implemented in a distributed fashion at individual POPs 116. In these embodiments, certain content requests received at one POP may or may not be routed to another POP.

At (3), each POP 116 generates data regarding request volume (e.g., a total number of requests during a certain period of time) received at the POP for various groups of network resources, and transmits the request volume data to the traffic surge detection service 130 or to a data repository that the traffic surge detection service 130 has access to. The data can be transmitted at regular time intervals (e.g., every 10 seconds), upon request by the traffic surge detection service 130, or based on the occurrence of triggering events. Illustratively, the data may be a list of resource groups associated with their respective request volume during a most recent period of time (e.g., the 30 seconds that just passed). The time periods for each round of request volume can be consecutive, disjoint, or overlapping. For example, request volumes can be calculated on a 60-second basis while the data generation and transmission can be performed every 30 seconds, that is, there can be an underlying 30-second overlap of time between the request volume data of any two consecutive data transmissions. As described above, rate of changes within a time period of among several time periods can be calculated as well.

The number of resource groups included in the transmitted data may be predetermined. For example, the data may include a set of top 50 groups of resources as measured by their respective request volume. Alternatively or in addition, the number of resource groups included in the data may be dynamically determined. For example, only those groups associated with request volumes, or request volume rates of change, higher than a threshold value will be included. In some embodiments, the data includes any and all resource groups that a respective POP 116 has assisted in content delivery during the most recent period of time.

At (4), the traffic surge detection service 130 detects a traffic surge based on the request volume data for various groups of network resources. In some embodiments, the traffic surge detection service 130 may analyze the request volume data for each POP 116 individually. For example, the traffic surge detection service 130 may parse the request volume data of a POP and identify 10 resource groups (e.g., corresponding to 10 different Web pages) that are associated with the highest 10 request volumes received at the POP for the most recent time period. The traffic surge detection service 130 may then determine whether any of the identified 10 groups was not associated with a sufficiently high request volume in a number of time periods prior to the most recent time period. Illustratively, this can be achieved by comparing the identified 10 resource groups against a specified number (e.g., an integer equal to or greater than 10) of top groups as ranked by request volume during previous time periods. In some embodiments, the ranking of groups can be based on their respective rate of change in request volumes, which can be estimated or calculated based on methods described above or known in relevant technical fields.

If all identified resource groups consistently appear within the top ranks for a number of previous time periods, they are not considered traffic surge targets because there is no abrupt surge of request volume. If an identified resource group is not one of the top requested groups for some previous time periods, the traffic surge detection service 130 may label the identified resource group as a candidate group for further determination. For the candidate group, the traffic surge detection service 130 may determine a shift in its rank by request volume as between one or more previous time periods and the most recent time period. If the shift in rank exceeds a threshold measure, the identified resource group may be considered a target receiving a traffic surge.

Alternatively or in addition, the traffic surge detection service 130 may determine a magnitude of change in request volume for the candidate group between previous time periods and the most recent time period. For example, the traffic surge detection service 130 may calculate a difference or ratio between a request volume of the most recent time period and an average request volume of a specified number of previous time periods. Applying a predetermined or dynamically generated threshold to the calculated difference or ratio, the traffic surge detection service 130 may determine that the candidate group is currently receiving a traffic surge.

The traffic surge detection service 130 may then generate a traffic surge alert including information about the affected POP, the identified group of resources, the most recent request volume corresponding to the group, etc. The generated traffic surge alerts can be transmitted to the traffic surge mitigation service 140, another service, or a system administrator for further processing.

FIG. 3 is a block diagram of the content delivery environment 100 of FIG. 1 illustrating the mitigation of a traffic surge for network resources. As illustrated in FIG. 3, at (1), the traffic surge detection service 130 provides traffic surge data to the traffic surge mitigation service 140. The traffic surge data may include the traffic surge alerts generated by traffic surge detection service 130 as well as any associated metadata, such as information regarding the underlying time periods for determining a traffic surge. In some embodiments, the traffic surge data may be transmitted directly between the services. In other embodiments, the traffic surge data can be maintained by a database or data store accessible to the traffic surge mitigation service 140.

At (2), the traffic surge mitigation service 140 obtains information related to determining spare capacity of individual POPs 116 for processing content requests for various groups of network resources. Illustratively, at regular time intervals (e.g., every 10 seconds), each POP 116 may transmit or otherwise provide data regarding a total volume of requests processed by the POP during the most recent period of time to the traffic surge mitigation service 140. Again, the length of the time interval between two consecutive reports of request volumes may or may not be the same as the time period that serves as basis for calculating the request volumes. Each POP 116 may also provide the traffic surge mitigation service 140 information about content currently being served by the POP 116, current maximum capacity of the POP 116 for serving certain types of content requests, latency, bandwidth, or other performance metrics associated with the POP 116. In some embodiments, another intermediary service or system collects necessary information from individual POPs 116, calculates or estimates spare capacities of the POPs for processing content requests of various groups, and provides the spare capacity information to the traffic surge mitigation service 140 at regular or varied time intervals or upon request.

At (3), for each traffic surge alert that identifies a target resource group as receiving a traffic surge at a source POP 116, the traffic surge mitigation service 140 determines whether the source POP may absorb the traffic surge without adversely affecting its performance. Illustratively, the traffic surge mitigation service 140 may estimate a current spare capacity of a POP 116 for processing requests for the target resource group based on the information obtained at (2). For example, the estimated spare capacity may correspond to a difference between a maximum quantity of content requests that can be processed by the POP 116 (e.g., as limited by its networking or computational capacity) during a future time period and the total volume of requests processed during the most recent period of time. In some embodiments, a cushion capacity (e.g., 10% of the maximum request processing capacity) is reserved for each POP 116 and will be carved out of the estimation. In other words, the maximum capacity may be reduced by the cushion capacity for purposes of estimating the spare capacity.

If the traffic surge mitigation service 140 determines that the source POP 116 does not have sufficient spare capacity to absorb the traffic surge traffic, for example, by comparing its estimated spare capacity against the traffic surge request volume as reported in the traffic surge alert, the traffic surge mitigation service 140 starts identifying one or more destination POPs 116 to spread the surged traffic. The traffic surge mitigation service 140 may identify a list of destination POPs based on a combination of factors, such as their corresponding estimated spare capacity, geographic or network-based proximity to the source POP or clients generating the traffic surge, groups of resources currently being served, latency, bandwidth or POP performance factors, etc. For example, the traffic surge mitigation service 140 may sort a set of POPs 116 based on their geographic distances to the source POP 116 and identify from the set a number of destination POPs 116 that are closest to the source POP 116. The traffic surge mitigation service 140 may also confirm that an aggregate of the estimated spare capacity of the identified destination POPs 116 (when combined with that of the source POP, in some embodiments) are sufficient to handle the traffic surge request volume as reported in the traffic surge alert.

The traffic surge mitigation service 140 may then calculate a corresponding routing weight for each of the source and destination POPs, based on their corresponding estimated spare capacity to process requests for the target group of traffic surge. In some embodiments, the routing weight may further depend on associated latency, bandwidth, estimated timing of peak or non-peak load, or other POP performance factors. The traffic surge mitigation service 140 may then determine a policy or mechanism for routing incoming content requests for network resources corresponding to the target group, in accordance with the calculated routing weights. In some embodiments, the modified routing policy may correspond to a deterministic temporal order of the source POP and the destination POPs that conforms to their routing weights distribution (e.g., always route a first 4 incoming requests to the source POP, the next 2 requests to destination POP 1, . . . , the next 3 requests to destination POP n, and repeat the sequence). In other embodiments, the modified routing policy may correspond to a probabilistic or otherwise randomized decision scheme, where a resource request is more likely to be routed to a POP associated with a larger routing weight.

At (4), the traffic surge mitigation service 140 may communicate the determined routing policy to the routing service 120 or otherwise causing the routing service 120 to update routing policies or mechanisms accordingly. This enables the routing service 120, for a future period of time, to route incoming requests for the target group in accordance with the determined routing policy. Thereafter, the traffic surge mitigation service 140 determines updated routing policies based on new estimates of spare capacities associated with the source and/or destination POPs as described above. This process can be repeated at specified time intervals (e.g., every minute) until no more traffic surge alerts for the target resource group is generated for the source POP. In some embodiments, when a destination POP is selected and starts receiving a portion of surged traffic offloaded from the source POP, traffic surge alerts with respect to the same target group may be generated for the destination POP. In these embodiments, the traffic surge mitigation service 140 may disregard the traffic surge alerts for the target group generated by the destination POPs until the offloading ends.

FIG. 4 is a flowchart illustrative of a traffic surge detection routine implemented by a CDN service provider 106. The routine starts at block 400. At block 402, the CDN service provider 104 obtains current data regarding request volume for network resource groups from each POP 116. Illustratively, the data can be transmitted from each POP 116 to the CDN service provider 106 at regular time intervals (e.g., every minute), upon request by the traffic surge detection service 130, or based on the occurrence of triggering events. The data may be a list of resource groups associated with their respective request volume during a most recent period of time (e.g., the 30 seconds that just passed). As describe above, the time periods for each round of request volume can be consecutive, disjoint, or overlapping.

At block 404, the CDN service provider 106 compares current volume data against prior volume data received from any specific POP 116. For example, the CDN service provider 106 may identify all resource groups that are ranked (e.g., by request volume) higher than a pre-determined first threshold position in the list of resource groups or account for a respective volume higher than can be processed by a certain proportion or percentage of the specific POP's processing capacity, in the most recent time period. The CDN service provider 106 may then determine whether any of the identified groups is ranked below a second threshold position, in some time period(s) prior to the most recent time period. In some embodiments, the second threshold position may be determined based on the identified group's ranking in the most recent time period. For example, the second threshold position may be a function of the identified group's rank in the most recent time period, such as a multiple of the rank value plus a constant offset number.

As described above, in some embodiments, the CDN service provider 106 may detect traffic surges based on rate of change in traffic volume. Illustratively, the CDN service provider 106 may estimate first and/or second derivatives of request volume as a function of time, based on the volumes as sampled from each time period. The CDN service provider 106 may determine whether the estimated first or second derivative exceeds a predetermined threshold for a recent time. As another example, the CDN service provider 106 may compute a correlation coefficient between request volume and time (or time periods) over request volumes reported in a number of recent time periods, and determine whether the coefficient exceeds certain threshold. These methods can be applied independently or in conjunction with other analysis and comparisons as described above.

At block 406, the CDN service provider 106 determines whether a resource group is currently receiving a traffic surge based on the comparison. As described above, if all identified resource groups consistently appear within the top ranks for a number of previous time periods, the resource groups are not considered traffic surge targets because there is no abrupt surge of request volume. If an identified resource group is not one of the top requested groups in some previous time periods (e.g., based on the second threshold positions), the CDN service provider 106 may label the identified resource group as a candidate group for further determination. For the candidate group, the CDN service provider 106 may determine a value change between a function of its ranks (e.g., a weighted average) in multiple previous time periods and its rank in the most recent time period. If the change exceeds a threshold measure, which can be predetermined or dynamically calculated based on any previous or current rank of the candidate group, the candidate group may be considered a target receiving a traffic surge.

Alternatively or in addition, the CDN service provider 106 may determine a magnitude of change in request volume for the candidate group between previous time periods and the most recent time period. For example, the traffic surge detection service 130 may calculate a difference or ratio between a request volume of the most recent time period and a weighted average of request volumes for some previous time periods. Similar to how the rankings may be utilized mathematically, predetermined or dynamically generated thresholds can be applied to the calculated difference or ratio, and the CDN service provider 106 may determine whether the candidate group is receiving a traffic surge. If the CDN service provider 106 determines that the identified resource group is receiving a traffic surge, the routine of FIG. 4 proceeds to block 408. Otherwise, the routine returns to block 402, where more recent data regarding request volume is obtained.

If the routine proceeds to block 408, the CDN service provider 106 provides traffic surge data as determined. The CDN service provider 106 may generate a traffic surge alert including information about the affected POP, the identified group of resources, the most recent request volume corresponding to the group, etc. The traffic surge data can be utilized by the CDN service provider 106, another service, or a system administrator for purposes of mitigating traffic surge. The routine of FIG. 4 ends at block 410.

FIG. 5 is a flowchart illustrative of a traffic surge mitigation routine implemented by a CDN service provider 106. The routine starts at block 500. At block 502, the CDN service provider 106 obtains traffic surge data for a source POP 116. The traffic surge data may include the traffic surge alerts generated by the CDN service provider 106 as well as any associated metadata, such as information regarding the underlying time periods for determining a traffic surge.

At block 504, the CDN service provider 106 determines whether a surged demand for target network resource group as indicated in the traffic surge data exceeds a spare capacity of the source POP 116. Illustratively, the CDN service provider 106 may estimate a current spare capacity of a POP 116 based on a maximum capacity of the POP for processing requests and a total volume of requests currently processed by the POP. For example, the estimated spare capacity may correspond to a difference between a maximum quantity of content requests that can be processed by the POP 116 (e.g., as limited by its networking or computational capacity) during a future time period and a total volume of requests processed at the POP during the most recent period of time. As described above, in some embodiments, a cushion capacity is reserved for each POP 116 and will reduce the maximum capacity for purposes of spare capacity estimation.

If the CDN service provider 106 determines that the source POP 116 has sufficient spare capacity to absorb the traffic surge (e.g., its estimated spare capacity exceeds the traffic surge request volume as reported in the traffic surge alert by a predetermined threshold measure), the routine proceeds to an end at block 510. Otherwise, at block 506, the CDN service provider 106 identifies one or more destination POPs 116 with spare capacity to spread the surged traffic. Illustratively, the CDN service provider 106 may initially identify a destination POP closest to the source POP among all the POPs 116. The determination of distance between the destination POP and source POP can be based on various factors, such as estimated spare capacity, geographic or network-based proximity to the source POP or clients generating the traffic surge, groups of resources currently being served, latency, bandwidth, reliability or performance factors, combinations of the same, or the like. In some embodiments, POPs 116 associated with a current traffic surge alert themselves are excluded from being identified as a destination POP.

In some embodiments, once a destination POP 116 is identified, the CDN service provider 106 calculates an aggregate spare capacity between the source and the identified destination POP(s). If the aggregate spare capacity is still not sufficient to absorb the traffic surge (e.g., the estimated traffic surge traffic exceeds the aggregate spare capacity), the CDN service provider 106 proceeds to identify a next closest destination POP among the remaining POPs. The CDN service provider 106 then adds to the aggregate spare capacity an estimated spare capacity of the newly identified destination POP and determines whether the updated aggregate spare capacity is sufficient to absorb the traffic surge. This process can be repeated many times until the aggregate spare capacity is sufficient.

In some embodiments, after all applicable destination POPs have been identified and corresponding spare capacity accounted for, the aggregate spare capacity may still be insufficient to absorb the traffic surge. In these embodiments, the CDN service provider 106 may cause routing of such surged traffic exclusively to a specific POP or set of POPs, thereby eliminating its impact on other POPs. Further, tarpitting or other network traffic control mechanisms can be implemented by the specific POP or set of POPs to ensure a certain level of service availability thereon.

At block 508, the CDN service provider 106 may cause routing of at least a portion of future traffic corresponding to the target resource group to identified destination POPs. Illustratively, the CDN service provider 106 may determine a policy or mechanism for routing incoming content requests for network resources corresponding to the target group, in accordance with the estimated spare capacities associated with the source POP and/or destination POPs. In some embodiments, the routing policy may correspond to a probabilistic or otherwise randomized decision scheme, where an incoming resource request is more likely to be routed to a POP associated with a larger spare capacity. The routing policy can be implemented for a future period of time, when at least some incoming requests for the target group will be routed to one of the destination POPs in accordance with the determined routing policy. The routine of FIG. 5 terminates at block 510.

FIG. 6 is a flowchart illustrative of a routine implemented by a CDN service provider 106 to conclude traffic surge mitigation. The routine starts at block 600. At block 602, while incoming traffic is routed in accordance with a traffic surge mitigation based routing policy or mechanism, the CDN service provider 106 determines an aggregate traffic volume for a resource group currently considered a target of traffic surge traffic. Illustratively, the CDN service provider 106 monitors request volumes for the target group received at the source and destination POPs as incoming traffic is routed during each time period. In doing so, the CDN service provider 106 may calculate an aggregate request volume for the target group based on respect volumes received at each applicable POP (e.g., by adding up respective request volumes received at each applicable POP during a most recent time period).

At block 604, the CDN service provider 106 decides whether to continue traffic surge mitigation based on the determined aggregate traffic volume. In some embodiments, the CDN service provider 106 may compare the aggregate traffic volume for a most recent time period to an estimated spare capacity of the source POP for the next time period, and determine whether the source POP may adequately process the aggregate volume (e.g., whether the source POP spare capacity exceeds the aggregate traffic volume by a predetermined margin). In some embodiments, the CDN service provider 106 may determine whether the aggregate traffic volume for a most recent period of time (or a weight average of aggregate volumes for a number of recent time periods) has returned to a level consistent with a traffic volume for the target group received at the source POP prior to the detection of traffic surge (e.g., not exceeding a maximum volume among a determined number of time periods prior to the detection of traffic surge).

If the CDN service provider 106 determines to continue the traffic surge mitigation, at block 606, the CDN service provider 106 causes adjustments to incoming traffic routing for the target group in a future time period based on the determined aggregate traffic volume. Similarly to relevant steps in the routine of FIG. 4, the CDN service provider 106 may determine whether a current aggregate spare capacity of the source and identified destination POPs is sufficient to absorb the aggregate traffic volume (e.g., whether the current aggregate spare capacity exceeds the aggregate traffic volume by a margin). If not, the CDN service provider 106 identifies additional destination POPs until the aggregate spare capacity is sufficient. In some embodiments, the CDN service provider 106 may remove one or more destination POPs currently in use, due to a surplus of aggregate spare capacity or other performance issues. Similarly to relevant steps in the routine of FIG. 4, in some embodiments, after all applicable destination POPs have been identified and corresponding spare capacity accounted for, the aggregate spare capacity may still be insufficient to absorb the aggregate traffic volume. In these embodiments, the CDN service provider 106 may cause routing of such traffic exclusively to a specific POP or set of POPs, thereby minimizing its impact on other POPs.

The CDN service provider 106 may modify the current policy or mechanism for routing incoming content requests for network resources corresponding to the target group, in accordance with currently estimated spare capacities associated with the source POP and/or destination POPs. The modified routing policy can be implemented for a future period of time, when at least some incoming requests for the target group will be routed to one of the destination POPs in accordance with the modified routing policy.

Referring back to block 604, if the CDN service provider 106 determines not to continue the mitigation, the routine of FIG. 6 proceeds to block 608. At block 608, the CDN service provider 106 causes a termination of the mitigation based incoming traffic routing for the target resource group. Illustratively, the CDN service provider 106 may cancel or deactivate relevant routing policies for offloading or spreading incoming traffic directed at the source POP for the target resource group. The routine of FIG. 6 ends at block 610.

FIG. 7 is an illustrative functional block diagram of a computing device for detecting and mitigating traffic surge. The computing device 700 can be a server or other computing device, and can comprise a processing unit 702, a network interface 704, a computer readable medium drive 706, an input/output device interface 708, and a memory 710. The network interface 704 can provide connectivity to one or more networks or computing systems. The processing unit 704 can receive information and instructions from other computing systems or services via the network interface 704. The network interface 704 can also store data directly to memory 710. The processing unit 702 can communicate to and from memory 710 and output information to an optional display 718 via the input/output device interface 708. The input/output device interface 708 can also accept input from the optional input device 720, such as a keyboard, mouse, digital pen, microphone, mass storage device, etc.

The memory 710 contains computer program instructions that the processing unit 702 executes in order to implement one or more embodiments. The memory 710 generally includes RAM, ROM, and/or other persistent, non-transitory computer readable media. The memory 710 can store an operating system 712 that provides computer program instructions for use by the processing unit 702 or other elements included in the computing device in the general administration and operation of the computing device 700. The memory 710 can further include computer program instructions and other information for implementing aspects of the present disclosure. For example, in one embodiment, the memory 710 includes traffic surge management software 714 that implements aspects of the present disclosure. The traffic surge management software 714 may illustratively correspond to all or some of the components of the request routing service 120, traffic surge detection service 130, traffic surge mitigation service 140 or other relevant components depicted in FIG. 1, or the illustrative routines of FIG. 4, 5 or 6.

The computing device 700 may further comprise traffic surge management hardware 730. The traffic surge management hardware 730 may illustratively implement aspects of the present disclosure, such as the components depicted in FIG. 1 or the illustrative routines of FIG. 4, 5 or 6. In some embodiments, the traffic surge hardware 730 may be implemented in part with the processing unit 702, the computer readable medium drive 706, or other elements of the computing device 700.

The elements included in the computing device 700 may be coupled by a bus 790. The bus 790 may be a data bus, communication bus, or other bus mechanism to enable the various components of the computing device 700 to exchange information. In some embodiments, the computing device 700 may include additional or fewer components than are shown in FIG. 7. For example, a computing device 700 may include more than one processing unit 702 and computer readable medium drive 706. In another example, the computing device 702 may not be coupled to a display 718 or an input device 720. In still another example, the traffic surge management software 714 or the traffic surge management hardware 730 may include various interdependent or independent subcomponents implementing different aspects of the present disclosure. In some embodiments, two or more computing devices 700 may together form a computer system for executing features of the present disclosure.

Depending on the embodiment, certain acts, events, or functions of any of the methods described herein can be performed in a different sequence, can be added, merged, or left out altogether (e.g., not all described acts or events are necessary for the practice of the algorithm). Moreover, in certain embodiments, acts or events can be performed concurrently, e.g., through multi-threaded processing, interrupt processing, or multiple processors or processor cores or on other parallel architectures, rather than sequentially.

The various illustrative logical blocks, modules and method elements described in connection with the embodiments disclosed herein can be implemented as electronic hardware, computer software or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. The described functionality can be implemented in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosure.

The various illustrative logical blocks and modules described in connection with the embodiments disclosed herein can be implemented or performed by a machine, such as a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor can be a microprocessor, but in the alternative, the processor can be a controller, microcontroller, or state machine, combinations of the same, or the like. A processor can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The elements of a method, process, or algorithm described in connection with the embodiments disclosed herein can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM or any other form of computer-readable storage medium known in the art. A storage medium can be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor. The processor and the storage medium can reside in an ASIC. The ASIC can reside in a user terminal. In the alternative, the processor and the storage medium can reside as discrete components in a user terminal.

Conditional language used herein, such as, among others, “can,” “might,” “may,” “e.g.” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or states. Thus, such conditional language is not generally intended to imply that features, elements and/or states are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or states are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” “involving” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some or all of the elements in the list.

Disjunctive language such as the phrase “at least one of X, Y or Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to present that an item, term, etc., may be either X, Y or Z, or any combination thereof (e.g., X, Y and/or Z). Thus, such disjunctive language is not generally intended to, and should not, imply that certain embodiments require at least one of X, at least one of Y or at least one of Z to each be present.

Unless otherwise explicitly stated, articles such as “a” or “an” should generally be interpreted to include one or more described items. Accordingly, phrases such as “a device configured to” are intended to include one or more recited devices. Such one or more recited devices can also be collectively configured to carry out the stated recitations. For example, “a processor configured to carry out recitations A, B and C” can include a first processor configured to carry out recitation A working in conjunction with a second processor configured to carry out recitations B and C.

While the above detailed description has shown, described, and pointed out novel features as applied to various embodiments, it will be understood that various omissions, substitutions, and changes in the form and details of the devices or algorithms illustrated can be made without departing from the spirit of the disclosure. As will be recognized, certain embodiments described herein can be embodied within a form that does not provide all of the features and benefits set forth herein, as some features can be used or practiced separately from others. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope. 

What is claimed is:
 1. A computer-implemented method for detecting traffic surges on networks, the computer-implemented method comprising: under control of one or more computing devices configured with specific computer executable instructions, obtaining first data regarding requests for network resources received at a first point of presence (POP) of a plurality of POPs during a recent period of time, wherein the first data includes a first list of resource groups, wherein each resource group of the first list is associated with a first request volume of network resource requests associated with the resource group received at the first POP during the recent period of time, and wherein the first list of resource groups is ordered based on the associated first request volumes; comparing the first data against second data regarding requests for network resources received at the first POP during a second period of time before the recent period of time, wherein the second data includes a second list of resource groups, wherein each resource group of the second list is associated with a second request volume quantifying network resource requests corresponding to the resource group received at the first POP during the second period of time, and wherein the second list of resource groups is ordered based on the associated second request volumes; identifying a target resource group common to both the first and second lists as a resource group currently receiving flash crowd traffic based, at least in part, on the comparison between the first data and the second data, wherein the target resource group is ranked higher than a first threshold position in the first list and ranked lower than a second threshold position in the second list; and generating a traffic surge alert based on the identified target resource group.
 2. The computer-implemented method of claim 1, wherein the second period of time immediately precedes the recent period of time.
 3. The computer-implemented method of claim 1, wherein the target resource group corresponds to at least one of a Web page, Web application, Web site, domain, or subdomain.
 4. The computer-implemented method of claim 1, wherein the first threshold position is predetermined.
 5. The computer-implemented method of claim 1, wherein the first threshold position is higher in ranking than the second threshold position.
 6. The computer-implemented method of claim 1, wherein the first request volume associated with the target resource group is larger in quantity than the second request volume associated with the target resource group.
 7. The computer-implemented method of claim 1, wherein identifying the target resource group further comprises computing a difference or ratio between the first request volume associated with the target resource group and the second request volume associated with the target resource group.
 8. The computer-implemented method of claim 7, wherein identifying the target resource group further comprises determining whether the difference or ratio satisfies a threshold criterion.
 9. The computer-implemented method of claim 8, wherein the threshold criterion is based, at least in part, on the second request volume associated with the target resource group.
 10. The computer-implemented method of claim 1, wherein identifying the target resource group is further based on a rate of change in request volume.
 11. A non-transitory computer readable storage medium storing computer executable instructions that when executed by a processor perform operations comprising: identifying a target resource group from a first list of resource groups, wherein each resource group of the first list of resource groups is associated with a first request volume for network resource requests for the respective resource group received at a point of presence (POP) during a first period of time; locating the target resource group within a second list of resource groups, wherein each resource group of the second list of resource groups is associated with a second request volume for network resource requests for the respective resource group received at the POP during a second period of time, and wherein the second period of time precedes the first period of time; determining that the target resource group is receiving a traffic surge at the POP based, at least in part, on a difference between the first request volume and the second request volume; and generating an indication based on the determined target resource group receiving a traffic surge.
 12. The non-transitory computer readable storage medium of claim 11, wherein identifying the target resource group comprises identifying the target resource group based, at least in part, on a first ranking of the target resource group.
 13. The non-transitory computer readable storage medium of claim 12, wherein identifying the target resource group further comprises determining that the first ranking is higher than a threshold ranking.
 14. The non-transitory computer readable storage medium of claim 11, wherein determining the target resource group as receiving traffic surge comprises determining that the difference between the first request volume and second request volume is larger than a threshold value.
 15. The non-transitory computer readable storage medium of claim 11, wherein the second period of time and the first period of time correspond to consecutive time periods.
 16. The non-transitory computer readable storage medium of claim 11, wherein the operations further comprise locating the target resource group within a third list of resource groups, wherein each resource group of the third list of resource groups is associated with a third request volume quantifying network resource requests corresponding to the respective resource group received at the POP during a third period of time, and wherein the third period of time precedes the second period of time.
 17. The non-transitory computer readable storage medium of claim 16, wherein determining the target resource group as receiving a traffic surge is further based, at least in part, on a difference between the first request volume and the third request volume.
 18. A system comprising: at least one data store configured to at least store computer-executable instructions; and at least one processor in communication with the data store, the processor configured to execute the computer-executable instructions to at least: identify a target resource group from a first list of resource groups, wherein the resource groups of the first list of resource groups are associated with a first request volume quantifying network resource requests corresponding to the resource group received at a point of presence (POP) during a first period of time; obtain data regarding a plurality of second lists of resource groups, wherein the second lists correspond to respective second periods of time preceding the first period of time, and wherein the resource groups of each second set are associated with a respective second request volume quantifying network resource requests corresponding to the resource group received at the POP during a corresponding second period of time; locate the target resource group within at least one of the second lists; determine that the target resource group is receiving a traffic surge based, at least in part, on a difference between an attribute of a first request volume associated with the target resource group and a function of respective second request volume attributes of the target resource group within at least a subset of the plurality of second lists of resource groups; and generate an indication based on the determined target resource group receiving a traffic surge.
 19. The system of claim 18, wherein the computer-executable instructions further determine a reference request volume for the target resource group based, at least in part, on one or more second request volumes associated with the target resource group.
 20. The system of claim 19, wherein computer-executable instructions further determine that the target resource group is receiving a traffic surge based at least in part on a relationship between the first request volume associated with the target resource group and the reference request volume. 